Thursday, 26 September 2013

The Changing Face of User Authentication and the Road to Bring Your Own Identity

I recently presented on an Infosecurity Magazine
webinar entitled “How to Make Access to your Sensitive Data More Secure - The Easy Way”.
During my presentation I explored how user
authentication is adapting to meet the changes created by a number of linked transformational
trends that include cloud computing, mobility and the Consumerisation of IT.

The presentation focused on one of Goode Intelligence’s specialist areas, mobile-based authentication (both the phone as an
authenticator and mobile authentication when an IT service is accessed from the
mobile device). It also touched on other areas of Identity and Access Management
(IAM), because the development of these related areas is vital to the
successful transformation of user authentication services (both mobile and
non-mobile). It is imperative that we meet the security challenges of the next
generation of IT services – to defend the borderless enterprise.

We are increasingly accessing a huge wealth of digital
information, both inside and outside of the enterprise network, from a myriad
of devices. In this new world of IT, traditional authentication solutions, both
single-factor (passwords) and two-factor (smart cards and OTP tokens), have
become clumsy, inconvenient and less secure. Password management is a headache:
in the main we either write down strong passcodes or re-use
passwords that we can easily remember (password management tools do exist).
Alternatively, when traditional two-factor
authentication is used, it is often not designed for cloud, mobile or
BYOD. Authentication solutions designed for traditional, behind-the-firewall
enterprise systems are increasingly ineffective for new, agile IT services.

So what are the alternatives? How do we match convenience
and security and ensure identity is successfully proven across a wide variety
of different devices (enterprise-issued and employee-owned) accessing many
services located on-premise, hybrid and wholly in the cloud?

I believe that we are close to achieving the goal of
supporting a much more agile and mobile world of IT service provision with
strong, convenient authentication. We know what the problem is and we have
many of the building blocks to make this a reality. These building blocks
include risk-based authentication (RBA), federated identity, multi-factor
authentication and user choice.

At Goode Intelligence, we are seeing increasing demand for
more intelligent forms of authentication where the choice of authentication
method used is real-time risk driven. The financial services sector has been an
early adopter of RBA technology as it has a history of measuring (managing) risk.

RBA matches the most appropriate
authentication method to the assessed risk. To be successful in this you must
first know who the user is and what they plan to do.

User intelligence can be gathered from a number of inputs,
and the mobile device can play an important part in this process. Combined
with more active forms of authentication, the device can learn the unique
characteristics of its owner: where they are usually located (geo-location),
the days and times that they are normally active, and even how they hold and
touch the device (behavioural analysis).

An accurate risk score can be calculated by combining user
intelligence with business context. What is the user trying to achieve - Is it
a high-value financial transaction to an unknown recipient or attempting to
access the latest sales data? Based on this risk score the authentication
engine can then choose the most appropriate authentication method to prove
identity. A one-time-password (OTP) generated by the authentication engine and
sent to the user’s registered mobile device via SMS may be sufficient or
alternatively the authentication level may be ‘stepped-up’ to a stronger factor
– a biometric or even a separate hardware device.

Federated Identity – the road to single sign-on and a more frictionless experience

For both enterprise and consumer users the prospect of
having to uniquely identify themselves to multiple applications and web
services is an onerous task. This is probably why for mobile devices the
auto-authenticate option is widely deployed – thumbs up for convenience, thumbs
down for security.

Organisations are increasingly turning their attention to
identity federation, sometimes referred to as Single Sign-On (SSO), as
one way to solve this problem. Identity federation allows for a standards-based
way to share identity amongst multiple organisations and applications. Standards
include the Security Assertion Markup Language (SAML), the OpenID
protocol and WS-Federation.

The benefit to the user is that they only need to
authenticate once to access a number of different organisations and
applications. Using techniques such as SAML assertions, identity is then shared
transparently with other applications. The user is authenticated once, and
other application providers can then verify the authenticity of the provided
federated identity.

Multi-Factor Authentication/Identity Verification and context

Two-factor authentication (2FA) is so last year!

Over the last 24 months we have seen virtually all of the
major internet players (Google, Twitter, LinkedIn, Microsoft and Facebook)
deploy some form of 2FA (mainly mobile OTP-based). Microsoft was so enamoured
with mobile phone-based 2FA that it acquired a vendor, PhoneFactor. The use of
2FA in these networks is usually optional, so it is difficult to gauge how
popular these services are outside the InfoSec geek community.

In terms of trends in the authentication market there is a
definite movement towards supporting multiple factors (MFA), sometimes referred
to as infinite factors. This is not necessarily the third factor –
often associated with what you are, biometrics. MFA is about allowing a choice
of factors and then matching them against context.

I feel that the combination of MFA and contextual awareness
is one of the most exciting areas of authentication at the moment and we expect
it to be a standard feature of premium authentication solutions. Many of the
authentication vendors, including RSA, Entrust and SecurEnvoy, have already
increased their portfolio of factors that can be deployed for use with their
authentication engines and I believe that the number of factors, and user
choice, will increase in the next 12 months. Factors include both traditional –
hardware/software tokens and smart cards – and emerging – mobile, biometrics,
image-based and behavioural.

The power of having multiple factors at your disposal is
multiplied when you add contextual analysis. This is where mobile devices
really come into their own as authenticators. Smart mobile devices have so many
in-built sensors that have the capability to capture important information
about the context of how and where these devices are being used: geo-location
through a combination of GPS and cellular-network positioning (even more
accurate with LTE/4G services), ambient noise levels captured through the
microphone (important in voice biometrics), and user identification through the
camera and embedded fingerprint sensors (even before Apple’s iPhone 5S and Touch
ID there were over 20 million smartphones shipped with fingerprint sensors).
All of this contextual information can be captured and then passed on to
services that support risk-based and intelligence-based authentication. A
relatively accurate identity score can be calculated on a continuous basis
and then fed into the authentication service, providing a method of identifying
whether the authorised owner of the device is initiating a service and then
calculating whether additional authentication is required. This is sometimes
referred to as step-up verification (although step-up verification is also a
part of non-mobile authentication and RBA services).

User choice – The road to Bring Your Own Identity (BYOI)?

We have bring your own device/platform/software… Is it time
for bring your own identity? Why not let the user choose the most convenient
and secure way to protect their digital assets? People decide how best to
protect their property and their cars, so why not let them choose how they
should protect their digital lives?

I feel that we are already seeing evidence of this with
Internet passports, e.g. Facebook ID and Google Authenticator, that allow
registered users to authenticate to other services that support authentication
from the passport provider. For instance, if I choose to I can use my Facebook
ID to authenticate into my Spotify streaming music service.

The big question is whether this will expand to services
that are more sensitive, i.e. have more risk. Will my bank allow me to use my
Google Authenticator to log in to its internet banking service and then transfer
funds out of the account? Does the bank trust credentials issued by a social
network? Possibly not for funds transfer, but what about a balance enquiry? Step-up
verification could be used when I want to transact or to request an
increase to my overdraft limit.

Alternatively what if a universal digital ID was issued by a
government and managed by a trusted authentication service provider? I wouldn’t
discount it but we are at the early stages of BYOI and perhaps initiatives such
as the FIDO Alliance, Open Identity
and the GSMA’s Mobile Identity Programme may help provide the plumbing
and the initiatives to support it.